kubeflow on kubernetes: existing_arrikto: add instructions for connecting with LDAP/AD #898
Conversation
Signed-off-by: Yannis Zarkadas <yanniszark@arrikto.com>
|
/assign |
|
Fixes #901 |
|
@yanniszark Would you like this fix to be considered part of the Kubeflow Doc Sprint? If so, it's not too late to register for the doc sprint. :) Details, including the registration link, are on the wiki: |
| As you saw in the overview, we use [Dex](https://github.com/dexidp/dex) for providing user authentication. | ||
| Dex supports several authentication methods: | ||
|
|
||
| * Static Users (what we used so far) |
There was a problem hiding this comment.
Recommended wording:
Static users, as described above
|
|
||
| * Static Users (what we used so far) | ||
| * LDAP / Active Directory | ||
| * External IdP (eg Google, LinkedIn, Github, ...) |
There was a problem hiding this comment.
Some tech writing best practices:
- Since this is the first time you're using the abbreviation "IdP", you should spell it out in full first so people don't have to look it up.
- Replace "eg" with "for example,". The reason is that many people confuse "e.g." and "i.e.", and abbreviations like "eg" can be confusing for people whose first language is other than English.
- For "Google" (and maybe for other providers in the list?) do we need to say which of the providedc auth mechanisms we're referring to?
- Capitalization: "GitHub".
There was a problem hiding this comment.
Thanks for the advice, fixed accordingly.
For "Google" (and maybe for other providers in the list?) do we need to say which of the providedc auth mechanisms we're referring to?
Dex doesn't specify explicitly, so I think it's better for users to check out Dex's documentation.
|
|
||
| This section focuses on setting up Dex to authenticate with an existing LDAP database. | ||
|
|
||
| 1. **[OPTIONAL]** If you don't have an LDAP database, you can set up one following these instructions: |
There was a problem hiding this comment.
Change the square brackets to round brackets (parentheses), as square brackets usually indicate some coding convention or other. Also, it's not necessary to use caps as well as bold text - it may seem over-emphatic to the reader:
***(Optional)***
|
|
||
| This section focuses on setting up Dex to authenticate with an existing LDAP database. | ||
|
|
||
| 1. **[OPTIONAL]** If you don't have an LDAP database, you can set up one following these instructions: |
There was a problem hiding this comment.
Word order (it's tricky :) ) - change "set up one" to "set one up".
|
|
||
| ```bash | ||
| kubectl exec -it -n kubeflow ldap-0 -- bash | ||
| ldapadd -x -D "cn=admin,dc=arrikto,dc=com" -W |
There was a problem hiding this comment.
Just checking: Is the use of arrikto here intentional (that is, all users must use this value) or is it just an example?
The same comment applies to line 289 above.
There was a problem hiding this comment.
This is the example configuration we demoed in the community meeting.
It's an example of what an LDAP config would look like for Arrikto.
It's tested and confirmed to work.
Of course, users can substitute any values they want or use an already existing LDAP user schema.
|
|
||
| </details> | ||
|
|
||
| 2. To use your LDAP/AD server with Dex, you have to edit the Dex config.To edit the ConfigMap containing the Dex config, run: |
There was a problem hiding this comment.
Change "run" to "follow these steps" - because the reader expects a command to follow the word "run", but instead comes across some steps with text.
|
|
||
| # The attribute to display in the provided password prompt. If unset, will | ||
| # display "Username" | ||
| usernamePrompt: Arrikto username |
There was a problem hiding this comment.
Same comment about the use of "Arrikto" in this section - is it just an example, or is it required because the user is using Arrikto software?
| # Required field for connector name. | ||
| name: LDAP | ||
| config: | ||
| # Host and optional port of the LDAP server in the form "host:port". |
There was a problem hiding this comment.
These comments within the config file are great. If possible, it would be good to have similar comments in the LDAP setup files above, explaining the use of usernames, etc. See my previous comment about providing example names.
| {{< /highlight >}} | ||
|
|
||
| 1. Restart the Dex deployment, by doing one of the following: | ||
| * Force recreation, by deleting the Dex deployment's Pod(s). |
There was a problem hiding this comment.
Can we give an idea of what the Pod names are or look like, and a sample command for deleting them?
There was a problem hiding this comment.
Of course.
I should give more information here.
|
|
||
| 1. Restart the Dex deployment, by doing one of the following: | ||
| * Force recreation, by deleting the Dex deployment's Pod(s). | ||
| * Trigger a rolling update, by adding/updating a label on the PodTemplate of the Dex deployment. |
There was a problem hiding this comment.
Can we explain how to add/update a label, or link to docs that explain the process?
|
@sarahmaddox of course, I'd love to participate. In addition, thanks for all the comments! I will take another pass asap. |
|
Is this tutorial aimed at just on-prem clusters, or is this meant to be a generic platform-agnostic guide? Who is the target user? We're in the process of re-organizing the getting started section, and we're not entirely sure where this should be categorized |
|
Hi @dansanche . That being said, the only requirement is a Kubernetes Cluster so it will work for any existing cluster. |
sarahmaddox
added
the
doc-sprint
Signed-off-by: Yannis Zarkadas <yanniszark@arrikto.com>
|
@sarahmaddox thanks for all the feedback. |
|
Nice! /lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sarahmaddox The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
sarahmaddox
added
doc-sprint-2019-07
and removed
doc-sprint
This PR extends the documentation on existing_arrikto and adds instructions for connecting with LDAP/AD
cc @sarahmaddox
Signed-off-by: Yannis Zarkadas yanniszark@arrikto.com
This change is